Principal, GRC Automation and Cyber Risk

Introduction At F5, we strive to bring a better digital world to life. Our teams empower organizations across the globe to create, secure, and run applications that enhance how we experience our evolving digital world. We are passionate about cybersecurity, from protecting consumers from fraud to enabling companies to focus on innovation. Everything we do centers around people. That means we obsess over how to make the lives of our customers, and their customers, better. And it means we prioritize a diverse F5 community where each individual can thrive. Role Overview The Principal, GRC Automation & Cyber Risk Quantification is a senior engineering and strategic leadership role responsible for designing, implementing, and scaling automated, data‑driven cyber risk and GRC capabilities across the enterprise. This role blends deep cyber risk management expertise with hands‑on software engineering, GRC platform architecture, workflow automation, API development and systems integration, and emerging AI‑enabled and Agentic capabilities to modernize how the organization manages risk, compliance, and governance at scale. Reporting Reporting to the VP, Cyber Governance, Risk & Compliance, this role serves as a force multiplier for the GRC organization, translating complex regulatory and risk frameworks into automated controls, continuous monitoring workflows, decision‑ready dashboards, and audit‑ready evidence. The principal is expected to write, review, and own production‑quality code and partner closely with ERM, Engineering, IT, Legal, Privacy, Internal Audit, and Digital teams to embed risk intelligence directly into business and technology processes. Key Objectives Shift GRC from manual, point‑in‑time assessments to continuous, automated, and risk‑informed execution by leveraging purpose‑built engineering solutions, Python‑based tooling, and Agentic workflows. Enable executive and board‑ready cyber risk insights grounded in quantitative and business‑relevant data, supported by automated data pipelines and integrations. Standardize and automate control mapping, testing, evidence collection, and risk reporting across frameworks and regulators through scalable API‑driven architectures. Primary Responsibilities GRC Automation & Platform Architecture Design – Build, evolve end‑to‑end GRC automation across risk, compliance, policy, and issue management. Write and maintain Python‑based automation scripts, services, and tools. Integrate GRC workflows with source systems via RESTful APIs, webhooks, and event‑driven patterns. Architect and maintain a systems integration layer connecting GRC platforms to enterprise data sources. Cyber Risk Quantification & Decision Enablement – Partner to operationalize quantitative and scenario‑based risk analysis (FAIR). Engineer pipelines ingesting threat, vulnerability, asset, and business context data. Leverage Python data libraries (pandas, NumPy) and Agentic workflows. Enable financially grounded cyber risk outputs: risk acceptance, investment decisions, executive reporting, program roadmap. Compliance Automation & Continuous Monitoring – Translate regulatory requirements into automated, testable, traceable controls. Implement continuous control monitoring and evidence refresh for ISO, SOX, SOC, and audits. Standardize artifacts, workflows, and narratives across compliance programs. Partner with Internal Audit and external auditors. AI‑Enabled GRC & Agentic Development – Design, build, deploy autonomous AI‑driven agents for GRC tasks. Control mapping, gap analysis, risk scenario generation, policy‑to‑control alignment. Agentic issue triage, remediation recommendations, autonomous evidence collection. Integrate LLM‑based frameworks (LangChain, AutoGen, etc.) into workflows. Ensure alignment with security, privacy, governance standards. API and Systems Integration – Design, develop, maintain RESTful and GraphQL APIs. Expose GRC data and capabilities to dashboards and downstream consumers. Own integration architecture connecting GRC to security tools, cloud, HR, asset management, third‑party risk platforms. Enforce API governance: versioning, authentication, documentation, rate management. Build middleware, ETL pipelines, event‑driven connectors. Stakeholder Partnership & Influence – Serve as trusted advisor to security, IT, engineering, business leaders. Embed GRC into SDLC, cloud, procurement, third‑party workflows. Translate technical implementations into executive‑ready narratives. Knowledge, Skills & Abilities Knowledge: Deep understanding of cyber risk management and GRC frameworks (NIST CSF, NIST 800‑53/171, ISO 27001, SOC 2, SOX). Strong grasp of enterprise risk management concepts and alignment. Working knowledge of quantitative cyber risk analysis (FAIR or similar approaches). Familiarity with audit, regulatory, and certification processes. Understanding of software engineering principles, API design patterns, and systems integration methodologies. Knowledge of Agentic AI frameworks and multi‑agent system design principles. Skills: Expertise designing and automating workflows within ServiceNow IRM or comparable GRC platforms. Proficient Python developer—ability to write clean, maintainable, production‑ready code for automation scripts, data pipelines, API clients, and Agentic workflows. Experienced in API development and integration—designing and consuming REST APIs, managing authentication (OAuth, API keys), building integration layers. Demonstrated systems integration experience connecting heterogeneous enterprise systems through APIs, webhooks, message queues, or ETL frameworks. Hands‑on experience with Agentic development—building autonomous AI agents using frameworks. Ability to translate abstract frameworks into practical, automated, and scalable implementations. Strong systems thinking, connecting people, process, technology, and data. Excellent written and verbal communication skills, including executive storytelling. Abilities: Operate comfortably at both strategic and hands‑on engineering levels. Influence without authority in a highly matrixed environment. Drive change from legacy/manual processes to modern, code‑driven automated execution. Independently scope, build, and ship engineering solutions with minimal oversight. Qualifications Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, Engineering, Risk Management, or related field. 10+ years of experience across cybersecurity, risk management, GRC, or security architecture—at least 3–5 years in engineering or software development. Demonstrated Python programming proficiency applied to automation, data processing, tooling, or security use cases. Proven API development and integration experience, including designing, building, and consuming APIs in enterprise environments. Demonstrated systems integration experience connecting GRC, security, cloud, or enterprise systems at scale. Demonstrated experience automating or scaling GRC, risk, or compliance programs using enterprise platforms. Strong experience partnering with cross‑functional technical and business teams. Preferred: Master’s degree. Experience with FAIR or quantitative risk methods. Hands‑on Agentic AI development—building and deploying autonomous agents for task automation, decision support, or workflow orchestration. Familiarity with LLM orchestration frameworks (LangChain, LangGraph, AutoGen, CrewAI, or similar). Experience with Python data and automation libraries (pandas, NumPy, FastAPI, Celery, Airflow, etc.). Experience with API gateway tooling, integration platforms (MuleSoft, Boomi, Workato), or message broker systems (Kafka, RabbitMQ). Hands‑on experience with AI, data analytics, or workflow automation applied to GRC use cases. Professional certifications (CISSP, CISM, CRISC, Open FAIR). Why This Role Matters This role is foundational to advancing the organization’s GRC maturity by reducing friction, increasing signal, and enabling leadership to make faster, better‑informed risk decisions. It is a highly visible engineering leadership position with direct impact on audit outcomes and enterprise risk posture. The ideal candidate balances Python coding, Agentic workflows, and executive risk insight presentation. Compensation Annual base pay: $167,200.00 – $250,800.00. F5 maintains broad salary ranges that vary by knowledge, skills, experience, geographic location, and market conditions. Additional compensation may include incentive compensation, bonus, restricted stock units, and benefits. More details about benefits can be found at F5 reserves the right to change or terminate any benefit plan without notice. Equal Employment Opportunity F5 provides equal employment opportunities to all employees and applicants without regard to unlawful considerations of race, religion, color, national origin, sex, sexual orientation, gender identity or expression, age, sensory, physical, or mental disability, marital status, veteran or military status, genetic information, or other protected classifications. This policy applies to all aspects of employment, including hiring, job assignment, compensation, promotion, benefits, training, discipline, and termination. F5 offers reasoned accommodations. Contact View email address on click.appcast.io if an accommodation is needed. Work Location Hybrid: Employees within 30 commutable miles of an F5 office must work from the office at least 30 business days per quarter. Remote: Primarily work from a designated home location but may travel to an F5 office or off‑site location as needed. #J-18808-Ljbffr